[Dshield] Road Runner is looking out for it's customers for change

Brenden Walker BKWalker at DRBSystems.com
Thu Aug 14 14:50:48 GMT 2003


Must have been, I'm still getting my usual small flurry of port 137 hits...


> -----Original Message-----
> From: Craig Shaw [mailto:CraigS at caamb.mb.ca] 
> Sent: Thursday, August 14, 2003 10:11 AM
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] Road Runner is looking out for it's customers for change
> 
> 
> Maybe it was "137,139" not "137-139" :)
> 
> Craig Shaw
> Systems Administrator
> CAA Manitoba
> (204) 262-6035
> craigs at caamanitoba.com
> 
> 
> -----Original Message-----
> From: Brenden Walker [mailto:BKWalker at DRBSystems.com] 
> Sent: 14-Aug-03 08:14
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] Road Runner is looking out for it's customers for change
> 
> Well, that would explain why I didn't see any hits on 135 
> during this storm. But it wouldn't explain why I continue to 
> get hits on 137 on a daily basis.. If they blocked 135-139 
> like they said, I wouldn't get these.
> 
> Odd indeed.
> 
> > -----Original Message-----
> > From: R Shady [mailto:RShady at stny.rr.com]
> > Sent: Wednesday, August 13, 2003 7:02 PM
> > To: Dshield
> > Subject: [Dshield] Road Runner is looking out for it's 
> > customers for change
> > 
> > 
> > I haven't had any port scans for 135 since Road Runner blocked ports
> > 135-139.
> > 
> > Blaster Worm/Virus (W32.Blaster.Worm / W32/Lovsan.worm)
> > According to Symantec, a worm called the W32.Blaster.Worm, also known as
> > W32/Lovsan.worm was discovered on 8/11/03. It will cause systems running
> > Windows 2000 or Windows XP to crash, prevent Internet access and
> > compromise the security settings by opening a hidden remote cmd.exe
> > shell. This worm will attempt to download and run a file named
> > "Msblast.exe." It will then block access to TCP port 4444 at the
> > firewall level, and then block the following ports, if they do not use
> > TCP Port 135, "DCOM RPC" or UDP Port 69, "TFTP." The worm will also
> > attempt to perform a Denial of Service (DoS) on windowsupdate.com. This
> > is an attempt to prevent you from applying a patch on your computer
> > against the DCOM RPC vulnerability.
> > 
> > To prevent this worm from spreading, Road Runner has blocked ports
> > 135-139 and port 145, both inbound and outbound on each router. This
> > will not only stop the spread of the virus on our network and protect
> > you, but it will also disable the ability for you to use File and Print
> > Sharing between computers outside of your home network (i.e. beyond your
> > modem). It may also disable your ability to log into Exchange e-mail
> > servers without using VPN or another secure connection method.
> > 
> > 
> > What You Can Do To Prevent Infection
> > 
> > To prevent infection from this worm, go to
> > http://windowsupdate.microsoft.com and install the latest critical
> > updates. For more information on the vulnerability that this worm
> > exploits, and to find out which Symantec products can help alleviate
> > risks from this vulnerability, go to
> > http://securityresponse.symantec.com/avcenter/security/Content/8205.html.
> >
> >
> > If You Have Been Infected
> >
> > You must stop the Trojan process by performing the following:
> >
> > As soon as your computer boots up, press the Control, Alt, and Delete
> > buttons at the same time. This should open your Task Manager window. Click
> > the Processes tab. Double-click the Image Name column header to
> > alphabetically sort the processes. Scroll through the list and look for a
> > file called msblast.exe. Click to highlight the file and then click the End
> > Process button at the bottom of the window.
> > Close the Task Manager window.
> > Open your browser and go to
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html.
> >
> > Follow the instructions for obtaining and running Symantec's
> > W32.Blaster.Worm Removal Tool.
> > Then, after running the tool, go to http://windowsupdate.microsoft.com
> > and update your Windows operating system with the latest patches to
> > prevent you from being infected again.




_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
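
The check discussed in this thread (hits still arriving on port 137 although 135-139 and 145 were announced as blocked) can be run against a local firewall log. This is an added example, not part of the original messages; the key=value log format, the sample lines and the candidate "135,139,145" list-instead-of-range filter are constructed assumptions.

```python
from collections import Counter

# Constructed sample log (hypothetical format, documentation addresses).
SAMPLE_LOG = [
    "2003-08-14T09:02:11 DIR=IN PROTO=UDP SRC=192.0.2.10 DPT=137",
    "2003-08-14T09:40:03 DIR=IN PROTO=UDP SRC=192.0.2.77 DPT=137",
    "2003-08-14T10:15:48 DIR=IN PROTO=TCP SRC=198.51.100.5 DPT=80",
    "2003-08-14T11:30:29 DIR=IN PROTO=UDP SRC=192.0.2.10 DPT=137",
    "2003-08-14T11:31:00 DIR=OUT PROTO=TCP SRC=203.0.113.9 DPT=135",
    "malformed line without fields",
]

def parse_port_spec(spec):
    """Expand an ACL-style spec such as '135-139,145' into a set of ports."""
    ports = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def leaked_ports(log_lines, claimed_spec):
    """Count inbound hits on ports the upstream filter should have dropped."""
    claimed = parse_port_spec(claimed_spec)
    hits = Counter()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            dpt = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # skip lines without a usable destination port
        if fields.get("DIR") == "IN" and dpt in claimed:
            hits[(fields.get("PROTO", "?"), dpt)] += 1
    return hits

def consistent_specs(log_lines, candidates):
    """Return the candidate filter specs that the observed hits do not contradict."""
    return [s for s in candidates if not leaked_ports(log_lines, s)]

if __name__ == "__main__":
    print(leaked_ports(SAMPLE_LOG, "135-139,145"))
    print(consistent_specs(SAMPLE_LOG, ["135-139,145", "135,139,145"]))
```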
